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DETAILED ACTION 

1 . This office action is in response to applicants' response filed on 09/07/06. 

2. Claims 1, 9 and 13 are amended. 

3. Claim 17 are cancelled. 

4. Applicant's arguments with respect to the rejections of claims under 35 USC § 
103 have been fully considered and are persuasive. Therefore, the rejections have 
been withdrawn. However, upon further consideration of the amended claims, a new 
ground(s) of rejection is made. 

5. When responding to the Office action, Applicant is advised to clearly point out the 
patentable novelty the claims present in view of the state of the art disclosed by the 
reference(s) cited or the objection made. A showing of how the amendments avoid such 
references or objections must also be present See 37 C.F.R. 1.111(c). 

Claim Rejections - 35 USC § 102 

The following is a quotation of the appropriate paragraphs of 35 U.S.C. 102 that 
form the basis for the rejections under this section made in this Office action: 
A person shall be entitled to a patent unless - 

(e) the invention was described in a patent granted on an application for patent by another filed in the 
United States before the invention thereof by the applicant for patent, or on an international application 
by another who has fulfilled the requirements of paragraphs (1), (2), and (4) of section 371(c) of this 
title before the invention thereof by the applicant for patent. 

The changes made to 35 U.S.C. 102(e) by the American Inventors Protection Act 
of 1999 (AIPA) and the Intellectual Property and High Technology Technical 
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Amendments Act of 2002 do not apply when the reference is a U.S. patent resulting 
directly or indirectly from an international application filed before November 29, 2000. 
Therefore, the prior art date of the reference is determined under 35 U.S.C. 102(e) prior 
to the amendment by the AIPA (pre-AlPA 35 U.S.C. 102(e)). 

Claims 1-3, 5 and 9-12 are rejected under 35 U.S.C. 102(e) as being 
anticipated by Sheymov et al (2002/0023227 A1; hereinafter Sheymov). 

Claims 1 and 9 
Sheymov discloses: 

A control system (see, for example, Figs. 1 and 2, box 120, where the analysis 
system corresponds to the recited control system); and 

a decoy server, functionally coupled to the control system, wherein the apparatus 
is placed outside a given internal communication network (see, for example, Figs. 1 and 
2, box 140; [0030]-[0031], where the monitoring system corresponds to the recited 
decoy server), for receiving illegal access data transmitted from a data communication 
device placed outside the internal communication network for a purpose of illegally 
accessing the internal communication network (see, for example, Figs. 1 and 2, boxes 
13, 140 and 150; [0032]-[0037], where the hacker corresponds to the recited data 
communication device), and for taking countermeasures against the illegal access data 
received, further wherein the countermeasures include providing a response pretending 
to originate from the internal communication network (see, for example, Figs. 1 and 2, 
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[0014]-[0015], [0032]-[0037] and [0047]), the response being sent to a network device 
within said given internal communication network to be transmitted by the network 
device to said data communication device (see, for example, Figs. 1 and 2, boxes 110, 
120, 140 and 150; [0032]-[0037] and [0047], where the monitoring system 140 
generates a response and sends via analysis system 120 and intrusion detection 
system 1 10 to the hacker 150). 

Claims 2 and 10 
Sheymov discloses: 

The illegal access data handling apparatus of claim 1, wherein the illegal access 
data handling apparatus is connected to an illegal access data detection device for 
relaying a data communication between a data communication device placed within the 
internal communication network and a data communication device placed outside the 
internal communication network (see, for example, Figs. 1 and 2, boxes 110, 120, 140 
and 150; [0032]-[0037] and [0047]). 

Claims 3 and 11 
Sheymov discloses: 

The illegal access data handling apparatus of claim 2, further comprising: 
a data reception section for receiving the illegal access data from the illegal 
access data detection device (see, for example, Figs. 3 and 4, [0039]-[004] and [0047]); 
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a data analysis section for analyzing the illegal access data received by the data 
reception section (see, for example, Figs. 3 and 4, [0039]-[004] and [0047])); 

a response data generation section for generating response data to the illegal 
access data based upon an analysis result from the data analysis section (see, for 
example, Figs. 3 and 4, [0039]-[004] and [0047]); and 

a data transmission section for transmitting the response data generated by the 
response data generation section to the illegal access data detection device (see, for 
example, Figs. 3 and 4, [0039]-[004] and [0047]). 

Claim Rejections - 35 USC § 103 

The following is a quotation of 35 U.S.C. 103(a) which forms the basis for all 
obviousness rejections set forth in this Office action: 

(a) A patent may not be obtained though the invention is not identically disclosed or described as set 
forth in section 102 of this title, if the differences between the subject matter sought to be patented and 
the prior art are such that the subject matter as a whole would have been obvious at the time the 
invention was made to a person having ordinary skill in the art to which said subject matter pertains. 
Patentability shall not be negatived by the manner in which the invention was made. 

Claims 4, 5, 7, 8, 12, 13 and 17 are rejected under 35 U.S.C. 103(a) as being 
unpatentable over Sheymov et al (2002/0023227 A1; hereinafter Sheymov) in view 
of Osborne et al (6,687,833 B1 ; hereinafter Osborne). 



Claim 4 

Sheymov discloses: 
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The illegal access data handling apparatus of claim 3, wherein the data reception 
section receives an illegal access data from the illegal access data detection device 
(see col. 5, lines 55-61; col. 16, lines 15-20), and wherein the data transmission section 
transmits the response data to the illegal access data detection device (see, for 
example, Figs. 3 and 4, [0039]-[004] and [0047]), 

Sheymov does not expressly discloses that the illegal access data handling 
apparatus includes a capsulation section for decapsulating the encapsulated illegal 
access data received by the data reception section to extract the illegal access data, 
and encapsulates the response data. 

Osborne, however, discloses a system for protecting an internal network from 
attacks originated from entities located in an external network (see Fig. 1; col. 1, lines 
37-49). Osborne further discloses a capsulation mechanism deployed in the security 
components that encapsulate a response to an attacker before transmission (see col. 2, 
lines 28-51; col. 5, lines 1-11; col. 6, (ines 53-67). Therefore, it would be obvious to a 
person of ordinary skill in the art at the time the invention was made to implement a 
capsulation mechanism as taught in Osborne in the system of Sheymov, because it 
would enable the security components of the protected system to decapsulate the 
receiving recursively encapsulated frames and encapsulate the response to an attacker 
(see Osborne, col. 2, lines 32-50). 
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Claims 5 and 12 
Sheymov discloses: 

The illegal access data handling apparatus of claim 3, wherein the response data 
generation section generates response data having same contents as those of 
response data that would be generated by a specific data communication device placed 
in the internal communication network in response to the illegal access data if the 
specific data communication device received the illegal access data (see, for example, 
abstract, [0011], [0036] and [0049]). 

Claim 6 

The illegal access data handling apparatus of claim 3, wherein the data reception 
section receives from the illegal access data detection device communication history 
information indicating a communication history of the illegal access data detection 
device (see, for example, [0007] and [0044]), 

wherein the data analysis section analyzes the communication history 
information received by the data reception section, and generates illegal access data 
designation information designating data transmitted from a given data communication 
device placed outside the internal communication network as the illegal access data 
based upon an analysis result of the communication history information (see, for 
example, [0007] and [0042]-[0044]), and 
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wherein the data transmission section transmits the illegal access data 
designation information generated by the data analysis section to the illegal data 
detection device (see, for example, abstract, [0042]-[0044]). 

Claim 7 

Sheymov discloses: 

The illegal access data handling apparatus of claim 4, wherein the data reception 
section receives the illegal access data having authentication information attached to be 
used for data authentication from the illegal access data detection device, and wherein 
the capsulation section performs the data authentication for the illegal access data by 
using the authentication information (see, for example, [0030], where the analysis 
system verifies the access attempt). 

Claim 8 

Sheymov discloses: 

The illegal access data handling apparatus of claim 7, wherein the capsulation 
section attaches the authentication information to be used for the data authentication for 
the response data to the response data, and wherein the data transmission section 
transmits the response data having the authentication information attached by the 
capsulation section to the illegal access data detection device (see, for example, 
[0036]). 
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Claims 5 and 12 

Regarding claims 5 and 12, Rothermel does not discloses a. decoy device to 
respond to an illegal access attempt by an unauthorized user (e.g. a hacker) with a 
response to have similar content as a true response. 

Osborne teaches a system and a method deploying a network host decoy to 
protect a network against attack by illicit users (see abstract and col. 1 , lines 38-49). 
Osborne further teaches that a deceptive response is sent to an attacker by a pseudo 
host to cause an illusion so that it appears as a real answer originating from a device at 
the protected network (see, for example, col. 4, lines 8-25). 

It would have been obvious to a person of ordinary skill in the at the time 
the invention was made to deploy a decoy device as taught in Osborne in the system of 
Rothermel because it provide a mechanism for better deception and more convincing 
and realistic to a would-be attacker (Osborne, col. 2, lines 52-55). 

Claims 13 and 17 
Sheymov discloses: 

receiving an unauthorized access packet at a data center placed outside the 
internal network, and wherein the unauthorized access packet is redirected from a 
target server residing within the internal network (see, for example, Figs. 1 and 2, boxes 
110, 120, 140 and 150; [0032]-[0037] and [0047]); 

analyzing the received packet to formulate a response packet (see, for example, 
[0038]); 
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sending the response packet to the network device, wherein the network device 
is within the internal network (see, for example, Figs. 1 and 2, boxes 110, 120, 140 and 
150; [0032]-[0037] and [0047], where the monitoring system 140 generates a response 
and sends via analysis system 120 and intrusion detection system 1 10 to the hacker 
150). 

Sheymov does not expressly discloses that the illegal access data handling 
apparatus includes a capsulation section for decapsulating the encapsulated illegal 
access data received by the data reception section to extract the illegal access data, 
and encapsulates the response data. 

Osborne, however, discloses a system for protecting an internal network from 
attacks originated from entities located in an external network (see Fig. 1; col. 1, lines 
37-49). Osborne further discloses a capsulation mechanism deployed in the security 
components that encapsulate a response to an attacker before transmission (see col. 2, 
lines 28-51; col. 5, lines 1-11; col. 6, lines 53-67). Therefore, it would be obvious to a 
person of ordinary skill in the art at the time the invention was made to implement a 
capsulation mechanism as taught in Osborne in the system of Sheymov, because it 
would enable the security components of the protected system to decapsulate the 
receiving recursively encapsulated frames and encapsulate the response to an attacker 
(see Osborne, col. 2, lines 32-50). 



Claim 14 

Sheymov in view of Osborne discloses: 
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The method according to claim 13, further comprising: 

determining if the encapsulated unauthorized access packet was transmitted 
from a client (see, for example, [0040] and [0044]); 

judging whether data of the encapsulated unauthorized access packet came from 
an unauthorized source (see, for example, [0038]); 

analyzing the encapsulated unauthorized access packet based upon data from a 
knowledge base (see, for example, [0043]); and 

notifying a decoy server of the analysis result (see, for example, [0044]). 

Claim 15 

Sheymov in view of Osborne discloses: 
The method according to claim 14, further comprising: 
referring to a client database (see, for example, [0040] and [0044]); and 
collating the encapsulated unauthorized access packet with information 
contained in the client database (see, for example, [0044] and [0050]). 

Claim 16 

Sheymov in view of Osborne discloses: 
The method according to claim 14, further comprising: 
accessing a knowledge base having information associated with past 
encapsulated unauthorized access packets (see, for example, [0043]-[0044]). 
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Conclusion 

The prior art made of record and not relied upon is considered pertinent to 
applicant's disclosure. 

US Patent No. 6,3634,89 B1 to Comay et al. 

Applicant's amendment necessitated the new ground(s) of rejection presented in 
this Office action. Accordingly, THIS ACTION IS MADE FINAL. .See MPEP 
§ 706.07(a). Applicant is reminded of the extension of time policy as set forth in 37 
CFR 1.136(a). 

A shortened statutory period for reply to this final action is set to expire THREE 
MONTHS from the mailing date of this action. In the event a first reply is filed within 
TWO MONTHS of the mailing date of this final action and the advisory action is not 
mailed until after the end of the THREE-MONTH shortened statutory period, then the 
shortened statutory period will expire on the date the advisory action is mailed, and any 
extension fee pursuant to 37 CFR 1.136(a) will be calculated from the mailing date of 
the advisory action. In no event, however, will the statutory period for reply expire later 
than SIX MONTHS from the date of this final action. 

Any inquiry concerning this communication or earlier communications from the 
examiner should be directed to Abdulhakim Nobahar whose telephone number is 571- 
272-3808. The examiner can normally be reached on M-T 8-6. 

If attempts to reach the examiner by telephone are unsuccessful, the examiner's 
supervisor, Gilberto Barron can be reached on 571-272-3799. The fax phone number 
for the organization where this application or proceeding is assigned is 571-273-8300. 
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Information regarding the status of an application may be obtained from the 
Patent Application Information Retrieval (PAIR) system. Status information for 
published applications may be obtained from either Private PAIR or Public PAIR. 
Status information for unpublished applications is available through Private PAIR only. 
For more information about the PAIR system, see http://pair-direct.uspto.gov. Should 
you have questions on access to the Private PAIR system, contact the Electronic 
Business Center (EBC) at 866-217-9197 (toll-free). If you would like assistance from a 
USPTO Customer Service Representative or access to the automated information 
system, call 800-786-9199 (IN USA OR CANADA) or 571-272-1000. 



Abdulhakim Nobahar, Examiner, Art Unit 2132 



November 24, 2006 /Z.^. 
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